b'-J\n\n\n\n1~1\n                                       OFFICE OF INSPECTOR GENERAL\n                                     EXPORT-IMPORT BAJ\'IK oftbe UNITED STATES\n\n\n\n\n      Apri l 22, 2014\n\n\n\n      A. Roy Lavik\n      Inspector Genera l\n      U.S. Commodity Futures Trading Commission\n      Three Lafayette Centre\n      1155 21st Street, NW\n      Washington, DC 20581\n\n      Dear Mr. Lavik:\n\n      We have reviewed the system of quality control for the audit organization of\n      Commodity Futures Trading Commission Office of the Inspector General (CFTC OIG) in\n      effect for the period Aprill, 2010, through March 31, 2013, and have issued our report\n      thereon dated April 22, 2014, in which CFTC OIG received a rating of pass with\n      deficiencies. That report should be read in conjunction with the comments in this letter,\n      which were considered in determining our opinion. The findings below were not\n      considered to be of sufficient significance to affect the opinion expressed in that report.\n\n      Finding 1 - Policies and Procedures\n\n      GAS 3.92 states "When performing GAGAS audits, audit organizations should have\n      policies and procedures for the safe custody and retention of audit documentation for a\n      time sufficient to satisfy legal, regulatory, and administrative requirements for records\n      retention. Whether audit documentation is in paper, electronic, or other media, the\n      integrity, accessibility, and retrievability of the underlying information could be\n      compromised if the documentation is altered, added to, or deleted without the\n      auditors\' knowledge, or if the documentation is lost or damaged. For audit\n      documentation that is retained electronically, the audit organization should establish\n      effective information systems controls concerning accessing and updating the audit\n      documentation." We found that CFTC\'s policies do not address electronic media.\n      Majority of workpapers were electronic and they are working on transitioning to\n      TeamMate for workpaper storage. Their policies and procedures should reflect their\n      current practices.\n\n      GAS 3.95 states "The audit organization should analyze and summarize the results of its\n      monitoring process at least annually, with identification of any system ic or repetitive\n      issues needing improvement, along with recommendations for corrective action. The\n      audit organization should communicate to appropriate personnel any deficiencies noted\n\x0c                                                                                          2\n\n\nduring the monitoring process and make recommendations for appropriate remedial\naction ." We found that CFTC\'s policies and procedures do not address annual\nsummaries of the results of its monitoring process.\n\nGAS 3.105 "An external audit organization should make its most recent peer review\nreport publicly available. For example, an audit organization may satisfy this\nrequirement by posting the peer review report on a publicly available web site or to a\npublicly available file designed for public transparency of peer review results." We\nfound that CFTC GIG\'s policy does not address the posting of the peer review report for\nthe public.\n\nIn addition, CFTC GIG\'s policy does no reference GAS 6.23 through 6.27 to ensure\nauditors obtain an understanding of information systems controls when information\nsystems are used extensively throughout the program under audit and the fundamental\nbusiness processes related to the audit objectives rely on information systems.\n\nGAS 6.50 states; "If an audit is terminated before it is completed and an audit report is\nnot issued, auditors should document the results of the work to the date of termination\nand why the audit was terminated. Determining whether and how to communicate the\nreason for terminating the audit to those charged with governance, appropriate officials\nof the audited entity, the entity contracting for or requesting the audit, and other\nappropriate officials will depend on the facts and circumstances." We found that there\nis no terminology in CFTC GIG\'s policies and procedures regarding the preparation of\nappropriate documentation for engagements terminated prior to completion.\n\nWe also found that CFTC GIG\'s policy does not address if and how attestation\nengagements or non-audit services would be performed. In addition, the overall policy\nis not up to date with Government Auditing Standards 2011 revision.\n\nRecommendation\n\n1. CFTC GIG should update their policy and procedures to addresses the findings\nidentified and ensure compliance with GAS 2011 revision.\n\n   CFTC OIG Response. The six comments provided by Ex-lm GIG, all address CFTC-GIG\n   audit policies and procedures manual. Four of the issues raised were not presented\n   to us before issuance of the draft peer review report. We agree with one of the four\n   issues along with the two other issues raised. Changes have been made to our\n   policies and procedures manual to address these three issues.\n\n   Three of the comments in the letter incorrectly state that the policies and\n   procedures manual we provided was missing certain guidance. During the exit\n   conference Ex-1m GIG staff was advised where the guidance was located in the\n   policies and procedures manual we had provided them. However the letter was not\n\x0c                                                                                             3\n-1\n~\n\n\n        corrected. Specifically: 1) guidance on summarizing CFTC-OIG monitoring process is\n        located at sections 402.00 and 900.06; 2) guidance on auditors\' reliance on\n        electronic information systems is located at section 400.06; and 3) guidance on\n        documenting the termination of a GAGAS audit is located at 400.07.\n\n        Evaluation of CFTC OIG\'s Response. A draft report and the comment letter were\n        provided on two separate occasions. The first preliminary copy was provided to\n        CFTC OIG on February 6, 2014 and on March 5, 2014, the official draft was issued to\n        CFTc-OIG for comments. The commenrlefter aldnorchange in either velsion\n        provided. In addition, we concur that their policy sections 402.00 and 900.06\n        mentions CFTC\'s OIG monitoring process but Government Auditing Standards also\n        requires an annual analysis and summary of those results. The annual analysis and\n        summary should be included. We also concur that Section 400.06 provides guidance\n        on auditor\'s reliance on electronic information systems; however, we suggest that\n        CFTC OIG\'s policy reference GAS 6.23 through 6.27. Finally, the original reference\n        that CFTC provided Ex-lm OIG to their policy did not reference termination of GAGAS\n        audits. During our review we identified this issue to CFTC OIG to include providing a\n        copy of the comment letter on two separate occasions. The reference to 400.07\n        does mention termination and we consider this issue resolved.\n\n        If CFTC OIG takes steps to update their policy and addresses the findings it will\n        resolve this recommendation.\n\n\n\n\n      ~~\n     Osvald~~---\xc2\xad\n     Inspector General\n\x0c'